Title

Authors

Submitting Campus

Daytona Beach

Department

Security Studies & International Affairs

Document Type

Book Chapter

Publication/Presentation Date

2006

Abstract/Description

This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.

Publication Title

Advances in Digital Forensics II

DOI

https://doi.org/10.1007/0-387-36891-4_13

Publisher

IFIP/Springer

Additional Information

Dr. Craiger was not affiliated with Embry-Riddle Aeronautical University at the time this paper was published.